This article is more than nine months old

Sui blockchain dodged shutdown after CertiK discovered ‘Hamster Wheel Attack’

  • The ‘critical’ vulnerability threatened to bring down the $403 million Sui blockchain.
  • Crypto auditor CertiK gets a win after stumbling earlier this year on rating security of other blockchain projects.

Crypto auditing firm CertiK discovered a bug in the recently-launched Sui blockchain that threatened to bring the $403 million network grinding to a halt.

The bug, dubbed “The Hamster Wheel Attack,” could have stopped Sui from processing new transactions, locking the network in an indefinite loop where it constantly re-checked old transactions without resolving them.

“The Hamster Wheel Attack, had it been executed, would have caused significant disruption to the Sui blockchain, resulting in what’s known as a ‘network shutdown.’” Kang Li, Chief Security Officer at CertiK, told DL News.

Sui's total value locked, a metric for investor deposits in DeFi

The vulnerability

CertiK informed Sui of the vulnerability on April 27, and the next day Sui released a patch to fix it. On April 30, Sui confirmed the severity of the problem as critical.

The work was a much needed win for CertiK. In April, the crypto auditor bestowed a security score of 90 on Merlin, a newly-launched decentralised exchange on the zkSync Era blockchain. Merlin “pulled the rug” on investors after its developers turned rogue and stole $1.82 million of users’ cash.

Many in the DeFi community criticised CertiK for failing to disclose mechanisms in the code that let its developers run off with user’s deposits.

NOW READ: Sui launch throws market makers’ cut into spotlight: ‘No one really knows what the terms of the deal are’

In appreciation of CertiK’s discovery, Sui paid the firm a $500,000 reward on May 16 under the conditions of its bug bounty program.

Join the community to get our latest stories and updates

“While the impact of the attack is severe, it wouldn’t render the blockchain permanently inoperable,” Li said. But deploying a fix would require all nodes in the network to update their software, which can be a complex and time-consuming process, he said.

“Until this update was rolled out across the network, the blockchain would remain inoperative,” Li said.

When a blockchain halts

The ability to send transactions unimpeded is arguably the most important feature blockchains have to offer. Crypto supporters laud blockchains for their ability to process monetary transactions 24 hours, seven days a week, compared to the traditional banking system, where transactions can sometimes take days to settle.

So when a blockchain fails in this task, onlookers see it as a very serious issue. The Solana blockchain, a competitor to Sui, has been harshly criticised after several network shutdowns in recent months brought transaction processing to a halt for hours at a time.

The price of the Sui blockhain's native currency SUI

The Sui blockchain currently secures $11.4 million of deposits. However, its native SUI token, which also relies on the network, has a market capitalisation of $403 million.

Mysten Labs, the firm behind the Sui blockchain, did not immediately respond to DL News’ request for comment.

NOW READ: BlackRock’s Bitcoin ETF surprise sets up battle with Gensler’s SEC

Finding a critical vulnerability in a major blockchain will likely help CertiK regain some of the credibility with the crypto community it lost in recent months.

In May, developers behind another CertiK-audited DeFi protocol called Swaprum ran off with $3 million.

Dyma Budorin, CEO of blockchain security firm Hacken, told DL News at the time that Swaprum developers “left an upgradability feature in their smart contract, which they used to drain user funds.”

But CertiK told DL News that the Swamprum’s upgradability feature wasn’t within the audit’s scope.

Have a tip about bug bounties or DeFi exploits? Contact the author at

Updated on June 19 with a comment from CertiK.

Related Topics